Procurement To The Rescue – How Tighter Controls Can Help Prevent Invoice Phishing Scams

We are pleased to publish this advisory post from Abid Muhammad, IT Manager at State of Flux, which provides contract lifecycle and category management, strategic sourcing and SRM.

Like supermodels, procurement often doesn’t get out of bed for less than £10,000 (spend) per day, but an email scam is highlighting why organisations need purchasing to take note of lower thresholds of spend and drive better purchase order coverage to fight these cyber criminals.

Let’s go phishing

Phishing email scams have existed for more than a decade, but they have become increasingly sophisticated and targeted in recent years. Most of us have received bogus or phishing emails. While the ones from an African heir or prince are easily recognisable, others are much more difficult to spot, as they accurately mimic the style of real bank emails – until you check the sender or look at the links they contain.

Meanwhile, the growth of hosted corporate email services such as Microsoft Office 365 has not gone unnoticed by the scammers. They craft simple, effective social engineering attacks targeted at hosted email users, which ultimately lead to credential theft.

In the past few months a new email phishing scam has emerged. It uses a variant of what is known as the ‘man-in-the-middle’ attack, exploiting the trust between the victim (who usually holds a senior position) and other contacts within the same organisation.

How the scam works

Initially the scammer sends a genuine-looking, personalised email message to their potential victim, making it appear to have come from the user’s email service provider. The actual message or instructions may vary, for example ‘reset your password’ or ‘validate your account details’. However, if the user is not mindful and clicks the embedded link, it leads them to a phishing (credential-harvesting) website. These sites are made to look like the actual web portal of the email hosting provider, such as Office 365.

Now that the scammers have gathered the user’s login credentials, they can gain access as and when they like. They invade the mailbox and identify other contacts from the user’s organisation. They also add mail rules to delete or move messages, block certain emails, or mark emails ‘as read’ and move them to Junk, to help disguise any suspicious activity. Once the account is fully compromised, the scammer sends an email from the victim’s account to the Finance/Accounts team containing a fake, Photoshopped, relatively low-value invoice, apparently from another genuine business, but with the account numbers changed. The invoice is also made to appear addressed to the victim. To make the request appear legitimate, the scammer adds a short, personalised message.

The scammer then keeps an eye on the victim’s inbox and will even reply to emails to add legitimacy to the ‘payment request’. The member of the accounts team in most cases will trust the payment request having come from the email account of their senior colleague, perhaps the CEO, and pay the invoice to the bank account on the invoice – one controlled by the scammer.

To add insult to injury, the scammer may also have downloaded a copy of the organisation’s invoice from the victim’s mailbox, and can now create more fake invoices using Photoshop to potentially defraud other businesses. Even after becoming aware of this fraud, the victim’s organisation can do nothing to stop these scammers from using a copy of their invoice or from targeting their customers, partners or suppliers, resulting in further reputational damage. The process then starts all over again: the scammer’s end goal is two-fold, stealing credentials through personalised phishing emails and then conducting financial fraud using fake invoices.

How do we catch them?

Scammers use a number of techniques to protect themselves from getting caught, and it is very difficult to track them down. They use VPNs to hide their locations when sending emails or accessing victims’ email accounts. The bank accounts used on the fake invoices also belong to other victims of bank account fraud, who are not aware that their bank accounts have been compromised and their debit cards cloned by scammers.

Once this is all done, it is very easy for these scammers to withdraw funds, transfer the money out or purchase cryptocurrencies.

Procurement to the rescue

Cyber security is a hot topic for all organisations, and they are continuously looking to improve their information security practices and to train staff to be aware of these threats. However, this alone is not enough to safeguard against such frauds causing financial damage.

Often there is an exploitable gap in an organisation’s defences which scammers have been focusing on. That is, the scammers tend to send invoices of low value, and most procurement organisations set thresholds (often around £10,000, although some as high as £1m) below which no purchase order number is required. Many of these scam invoices slip below these thresholds, and the poor person in accounts payable may either 1) have a large volume to deal with or 2) rely on the email from the scammed executive/victim and simply pay without too much thought.

Because the individual amounts may be small for a large or medium-sized organisation, this scam may not even be picked up in a spend report, leaving that organisation unaware that a scammer is siphoning off cash for their own gain.

This scam (and others like it) helps create the business case for wider or even blanket purchase order coverage and more direct purchasing involvement and responsibility. You can begin to persuade your organisation to take action now.
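As an added illustration (not part of the original post), the following Python sketch shows an accounts-payable pre-payment check run first with the £10,000 PO threshold the post describes and then with blanket PO coverage, alongside a comparison of the invoice’s bank details against the vendor master. The supplier name, PO number and bank details are constructed and hypothetical.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed vendor master: supplier -> approved (sort code, account). Hypothetical values.
VENDOR_MASTER: Dict[str, Tuple[str, str]] = {
    "Acme Stationery Ltd": ("12-34-56", "12345678"),
}
# Constructed open purchase orders: PO number -> (supplier, approved amount in GBP).
OPEN_POS: Dict[str, Tuple[str, float]] = {
    "PO-1001": ("Acme Stationery Ltd", 850.00),
}

@dataclass
class Invoice:
    supplier: str
    amount: float
    po_number: Optional[str]
    sort_code: str
    account: str

def po_holds(inv: Invoice, po_threshold: float) -> List[str]:
    """Reasons to hold payment based on PO coverage.
    po_threshold is the spend at or above which a PO is mandatory; 0.0 means blanket coverage."""
    if inv.amount < po_threshold:
        return []  # below the threshold nothing is checked: the gap the scam relies on
    if inv.po_number is None:
        return ["PO number required"]
    if inv.po_number not in OPEN_POS:
        return ["unknown PO number"]
    po_supplier, po_amount = OPEN_POS[inv.po_number]
    if po_supplier != inv.supplier or inv.amount > po_amount:
        return ["invoice does not match PO"]
    return []

def bank_holds(inv: Invoice) -> List[str]:
    """Reasons to hold payment based on the vendor master's approved bank details."""
    master = VENDOR_MASTER.get(inv.supplier)
    if master is None:
        return ["supplier not in vendor master"]
    if (inv.sort_code, inv.account) != master:
        return ["bank details differ from vendor master"]
    return []

def check_invoice(inv: Invoice, po_threshold: float) -> List[str]:
    """Combined hold reasons; an empty list means the invoice may be paid."""
    return po_holds(inv, po_threshold) + bank_holds(inv)

# Constructed scam invoice: low value, no PO, genuine supplier name, account number changed.
SCAM = Invoice("Acme Stationery Ltd", 4200.00, None, "12-34-56", "87654321")
# Constructed legitimate invoice that matches an open PO and the vendor master.
LEGIT = Invoice("Acme Stationery Ltd", 850.00, "PO-1001", "12-34-56", "12345678")
```

With the £10,000 threshold the scam invoice passes the PO check entirely; only blanket coverage or the bank-detail comparison puts it on hold.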

If you believe your organisation has been the victim of a phishing or hacking attack, please make sure you report it to Action Fraud.